| From: Steffan K. <ste...@fo...> - 2017-06-29 08:26:06 |
On 28-06-17 21:15, David Sommerseth wrote: > The note related to the CRL processing was somehow put into > the deprecated section. This is quite confusing. > > Since this is a fairly important change, and there have been > a noticeable amount of support questions related to OpenVPN > not starting due to CRL errors, I put this into the > "New features" section labelled as an improvement. Otherwise > I fear this would drown in the list of "User-visible Changes" > later on. > > Signed-off-by: David Sommerseth <da...@op...> > --- > Changes.rst | 13 +++++++------ > 1 file changed, 7 insertions(+), 6 deletions(-) > > diff --git a/Changes.rst b/Changes.rst > index 9db0a451..0b2b04dd 100644 > --- a/Changes.rst > +++ b/Changes.rst > @@ -44,6 +44,13 @@ ECDH key exchange > The TLS control channel now supports for elliptic curve diffie-hellmann > key exchange (ECDH). > > +Improved Certificate Revocation List (CRL) processing > + CRLs are now handled by the crypto library (OpenSSL or mbed TLS), instead > + of inside OpenVPN itself. The crypto library implementations are more > + strict than the OpenVPN implementation was. This might reject peer > + certificates that would previously be accepted. If this occurs, OpenVPN > + will log the crypto library's error description. > + > Dualstack round-robin DNS client connect > Instead of only using the first address of each ``--remote`` OpenVPN > will now try all addresses (IPv6 and IPv4) of a ``--remote`` entry. 
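Review bot: the entry added under "New features" is carried over verbatim and still names only one symptom ("This might reject peer certificates that would previously be accepted"), while the commit message gives a different one, OpenVPN not starting because of CRL errors, as the reason the note is being promoted; add a sentence saying that a CRL the crypto library refuses to load can also keep OpenVPN from starting, and that the logged crypto-library error description is the place to look in either case, so the entry actually answers the support question it is meant to pre-empt. "more strict than the OpenVPN implementation was" is also left unexplained; naming what the library checks that the old code did not would let an administrator tell from the changelog whether an existing CRL is affected.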
> @@ -160,12 +167,6 @@ Deprecated features > will then use ``--key-method 2`` by default. Note that this requires changing > the option in both the client and server side configs. > > -- CRLs are now handled by the crypto library (OpenSSL or mbed TLS), instead of > - inside OpenVPN itself. The crypto library implementations are more strict > - than the OpenVPN implementation was. This might reject peer certificates > - that would previously be accepted. If this occurs, OpenVPN will log the > - crypto library's error description. > - > - ``--tls-remote`` is removed in 2.4, as indicated in the 2.3 man-pages. Similar > functionality is provided via ``--verify-x509-name``, which does the same job in > a better way. > ACK -Steffan |
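Review bot: the paragraph is dropped from "Deprecated features" with nothing left in its place, so a reader who remembers the note from there will find the section jump from the ``--key-method 2`` item straight to ``--tls-remote`` with no trace of the CRL change; a one-line pointer such as "CRL processing has moved to the crypto library; see the New features section" would keep the section complete without duplicating the text now in the first hunk.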